Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zeroing In On the Internet's 'Evil Cities'

Posted by timothy on from the their-palantirs-are-everywhere dept.

We've sometimes seen malware sources broken down by country; now a Dutch study attempts to increase the resolution of that information. An anonymous reader writes with some bits gleaned from the recently published study (PDF): "Seoul is the most criminal city on the Internet, followed by Taipei and Beijing. When the population of the top 20 cities is taking into account, Chelyabinsk , in Russia, tops the list, followed by Buenos Aires and Kuala Lampur. These results were found by researchers from the from the University of Twente and Quarantainenet, a security company from the Netherlands. The researchers also found that analyzing attacks' origin at the city level [Original, in Dutch] instead of country level reveals interesting findings. For example, the U.S. ranked #3 in the list of the most criminal countries for the reporting period, while no major U.S. city was found among the most evil ones, while only one European city was listed among the top 20 cities, but 8 EU countries were among the most criminal. It was also observed that the list of criminal cities remains stable over a period time and that when the attack type is taken into account, 50% of the most evil cities remains the same."

18 of 90 comments (clear)

  1. Lack of information much? by msobkow · · Score: 3, Informative

    Serious lack of useful information in the linked articles. The summary is longer!

    --
    I do not fail; I succeed at finding out what does not work.
  2. missing the point by Anonymous Coward · · Score: 5, Insightful

    FTFP:

    In this work, by originated we mean where the attack came from. We do not consider if there
    were other hosts controlling the attacking one

    So this is not about criminal activity. It is about "which city has the most zombies".

    That information is still useful, but not "most evil"

    1. Re:missing the point by Solandri · · Score: 3, Funny

      So this is not about criminal activity. It is about "which city has the most zombies".

      That information is still useful, but not "most evil"

      So it's "most undead"?

  3. Dodgy conclusions... by Anonymous Coward · · Score: 3, Insightful

    Seoul is likely to be at the top of the list not because it's naturally criminal, but simply because it contains the largest proportion of computers connected to a high speed network. With a large enough botnet it's a bit like a city sized data centre.

    1. Re:Dodgy conclusions... by Stormwatch · · Score: 2, Informative

      But most importantly: South Korea has possibly the worst case of Microsoft monoculture in the world.

      --
      Circumcision is child abuse.
    2. Re:Dodgy conclusions... by John+Saffran · · Score: 2

      Exactly, the batch of attacks experienced lately by korean institutions is a clear indicator that there are third parties involved here.

      Having said that the root cause is the negligence of security by both individuals and organizations, but that's no different from any other coutnry in the world .. it just so happens that korea has both very high bandwidth available and very high uptake of the available bandwidth, ie. they're just further ahead in the curve than other countries are regarding the internet, both good and bad aspects.

    3. Re:Dodgy conclusions... by HairyNevus · · Score: 2

      That's really interesting. They blocked themselves into using IE and ActiveX controls exclusively for everything because they couldn't wait for 128-bit encryption to come out in '99. So it's not *just* that they're running windows, but that they have to use IE and still haven't moved over to the 128-bit standard.

      --
      You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
    4. Re:Dodgy conclusions... by Kilrah_il · · Score: 2

      Talk about cherry-picking your data. Don't get me wrong, I also think that using Windows with IE (esp. 6) is a recipe for zombifying your computer. Nevertheless, did you see if other top-malware cities have a MS monoculture? And are there any cities with MS monoculture who are not top malware origins? And after all that, you are still in the correlation!=causation domain, although you will then at least have a valid working hypothesis.

      --
      Whenever in an argument, remember this.
  4. Wrong data for Buenos Aires by Guillermito · · Score: 3, Informative

    In the per capita list, Buenos Aires ranks 2nd, but the city population data they use are wrong. They say Buenos Aires population is 3 million, but that's only Buenos Aires city proper, the whole metro area has an estimated population of about 13 million. So Buenos Aires should rank lower than listed in that study.

  5. Chelyabinsk by ooloogi · · Score: 2

    Chelyabinsk also has a reputation as being the most contaminated city, with nuclear contamination from Mayak. Now maybe there's a connection..

  6. Re:So what's the solution? by billcopc · · Score: 4, Interesting

    That's what I do. There's a handful of countries whose IP ranges I've blocked at the firewall. I typically block the mail ports, and redirect web traffic to a "Sorry we're not available in your region" page with a contact form. The reality is that I don't foresee myself selling any products or services into Asia, Russia, or South America. I don't speak their language(s), I can't process their money, and I sure as shit can't litigate if a deal goes wrong, so why expose myself to unnecessary risk ? There are other web sites to choose from, probably better suited to those specific markets than mine could be, I think it's a win-win.

    --
    -Billco, Fnarg.com
  7. I think this data is all wrong by NoExQQ · · Score: 2

    I could very easily hire a spam group out of any one of these countries to push my malware out for profit but who is really "evil"? The companies in foreign countries that offer the service or the people who hire them? My guess is if we were to follow the money it would lead us to very different places.

  8. Re:So what's the solution? by Doc+Ruby · · Score: 2

    Simple means "not complex" (however many quotes enclose "not complex"). Nuclear war is complex any way you slice it.

    --

    --
    make install -not war

  9. Was this with or without co.cc? by davidwr · · Score: 3, Informative

    Seoul, South Korea was #1 on the list, and it may be for reasons other than just generally good Internet connectivity:

    It's the home of co.cc, which Google recently blacklisted for being a den of evil.

    If it was before the co.cc Google Death Penalty then maybe we should re-run the study in a few weeks.

    From Google pulls co.cc subdomains from search, brings our global malware nightmare to an end:

    Google classifies [the company behind co.cc] as a "freehost" -- it belongs to a Korean [emphasis added] company...

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Re:US bad at country level, not city? by jginspace · · Score: 2

    Does this mean the US just has all of it's malware spread evenly between the many major cities?

    Yes. The problem with this study is the low accuracy of the geoip data for Asia. Hanoi and Ho Chi Minh are around the middle of these lists but one half of the country appears in the geoip lookup as Hanoi; the other half appears as Ho Chi Minh - I'm currently 450km from HCM but that's where Maxmind says I am. I know from experience there are plenty of spammier locales in China than Beijing - again data is just getting aggregated. So the data in their writeup ('paper.pdf') is kind of lame because they only have top-10 and top-20 lists - 60% of which get populated by Asian cities acting as DHCP servers for their whole region. I suspect that if their lists ran down a bit longer we'd see bunches of US cities - perhaps with Phoenix, Arizona the first.

    From TFPDF: The main problem with using GeoPlugin that it relies on the accuracy of Max- mind database [12], of which numbers on accuracy are available [13]. Even though the database is not 100% precise, (Maxmind claims that their “GeoIP databases are 99.8% accurate on a country level, 90% accurate on a state level and 83% accurate for the US within a 25 mile radius”), we believe the results obtained would still hold, even though with some margin for errors.

  11. location of IPs is misleading by PopeRatzo · · Score: 2

    The paper explains that they used the IP locations to see where the attacks were coming from. If someone in Shanghai has a botnet that includes a bunch of machines on a university campus in Missouri and launches his attacks through that botnet, wouldn't it count as an attack coming from Missouri instead of Shanghai?

    I'm not sure I'm comfortable with the methodology of this study. I'm too tired to read it more carefully now, but it looks like it might be making conclusions about "evil cities" that is not really warranted.

    --
    You are welcome on my lawn.
  12. No kidding by Sycraft-fu · · Score: 4, Interesting

    What I think you'll find actually is the cause is more of a cultural thing. I've done no empirical research on this, but I do get a few data point of observations from the large number of Asian grad students we get. I've noticed something that is very common in both Chinese and Korean students:

    1) Pirated software is a way of life. The idea of paying for software is just not really an idea they have. They don't see it as wrong in any way, it is just how you do things. Well while the BSA's stuff about viruses is over inflated, it is based in reality. There are plenty of warez sites out there which have infected software. This seems to be particularly true of Chinese sites. Finding one that isn't ridden with viruses is difficult.

    2) Virus scanners are just something that isn't considered to be needed on computers. This may be in part because of language barriers. Most of the best virus scanners are Eastern European, and the companies market in English primarily. I have noticed since Qihoo has come to be that more Chinese students have scanners, it in particular. Unfortunately it is a really poor virus scanner (gets a ton of false positives and have poor heuristics and so doesn't deal well with unknown malware) so it doesn't do much good.

    3) ISPs that just won't give a shit, at all, about anything. Efforts at contacting Chinese ISPs about problems have never done anything. Most ISPs, if you make them aware of a system causing problems, will take action. Some these days proactively watch their network and shut down problem connections. We've never had any luck with Chinese ISPs. We've even gotten people to translate our message in to Chinese and the response is always "We are not responsible for that IP, please get us the correct IP." They are of course responsible, APNIC confirms it, they just don't care.

    I think that is a large reason why areas like this are so very infected. The propensity for not having a scanner and downloading from any random site makes infection much easier, and since ISPs don't seem to care there is little to stem the tide. You combine that with the normal user ignorance of computer security that we see across the world and there you go.

  13. Re:So what's the solution? by tbird81 · · Score: 2

    "Investigated"?!?!

    What, it's now illegal to have an opinion?! Jesus-fucking-Christ!

    These cities often are in countries shitty governments with little law, and you'd have nowhere to turn if you're ripped off. What's race got to do with it?